Archive for the ‘Security’ Category
Security Flaw in Popular Disk Encryption Programs Found
Written by Michael Koby on February 21, 2008 – 1:33 pm
The Electronic Frontier Foundation has published an article about a research paper that shows how popular disk encryption software can be defeated. The article (found here) explains that popular disk encryption programs like BitLocker (Windows Vista’s disk encryption program) and the open source favorite, TrueCrypt, are not invulnerable to the suggested attacks.
The main issue revolves around data remaining in the computer’s RAM after the computer has been powered off or is in sleep/hibernation mode. Programs can be written to retrieve data out of RAM once the computer has been turned back on, giving a malicious user access to the passwords used to access the encrypted drives. Neither the article nor the paper it references mentions how long a computer needs to be turned off for the memory remnants to fully leave the system, though they do mention that the data can stay in memory up to a full minute at room temperature (even longer the colder it gets). You can read the full paper at Lest We Remember: Cold Boot Attacks on Encryption Keys.
What does this mean exactly? Well, it just further proves that no level of security is foolproof. No matter how hard you try, someone can, with enough time and work, get to your data. This does not mean that one should make it easy for the hacker. The general idea behind security, no matter if it’s disk encryption or strong passwords, is simply to make the hacker’s life more difficult when it comes to getting to your data. The harder it is for someone to get to your data, the more chances you have of them giving up and moving on. There are plenty of people in the world that do not take the extra steps to secure their private data, so they will, more often than not, move on to someone that does not take those steps. The general idea here is time spent versus rewards. Chances are, if you are taking those extra steps, you probably are smart enough to not have any data that is really worth having on the computer, or at least not in large quantities.
Security is important and more people should consider the data they store on their hard disks, USB flash drives, or anywhere else in digital format for that matter. If you are going to store sensitive data, take the extra steps to secure it. The fact that the disk encryption programs have a flaw does not mean that the hacker is going to go through the trouble. Just because security can be broken does not mean that one should not take proper steps to ensure the security of their sensitive data.
Posted in Security, Technology
Spread OpenID Site Launched (Do These Really Help?)
Written by Michael Koby on January 3, 2008 – 3:22 pm
I just read in my Google Reader that the new Spread OpenID website launched today. I think the general idea behind OpenID is a great one, so do not mistake the following comments as something negative towards OpenID. We desperately need something like OpenID in this day and age. The ability to have a single non-centralized login is great, especially one that embraces open standards. For more information on OpenID, you can look at my own writings in my article entitled All About OpenID.
Now, on to the question in the subject. The new website, Spread OpenID, is a play on the SpreadFirefox web site that has been around for quite some time now. These websites are started as efforts to bring the product to a wider audience. They offer up for download graphical icons that can be placed on websites or in forum signatures and so forth as a way of promoting the product. Basically, if you really like whatever it is they are trying to “spread”, they offer some ways to do it.
My question is, do the sites really work? I mean, Firefox is doing fine, true, but that was more due to the full-page New York Times ad that SpreadFirefox helped raise money for. So while the website itself brought the community together for the purpose of marketing, is it the website or rather the efforts of those behind the website that are helping the products? I guess one could argue that they are one and the same. However, why create a second website? OpenID already has a pretty nice looking website (OpenID.net). Does it really need a second one to explain the benefits and such of OpenID?
Maybe products that have a strong following (like OpenID & Firefox) can benefit from websites such as these. I think that it might be good to revisit this issue in one year’s time to see how much adoption OpenID sees. The hard part of course is determining how much of that adoption was a result of the Spread OpenID website.
Tags: firefox, mozilla, OpenID, single login, spread firefox, Web
Posted in OpenID, Security, Technology
Who Owns Your Data? (Scoble/Facebook)
Written by Michael Koby on January 3, 2008 – 12:04 pm
Update 2:45pm (time from Scoble’s blog): Robert Scoble has been let back into Facebook.
Robert Scoble, popular blogger and internet star, has had his Facebook account disabled after running a script from an unknown company against his Facebook account in an attempt to copy his “social graph” to other networks.
Now, the running of scripts against Facebook is definitely against the terms of service of Facebook. However, is running scripts against your own data wrong? It is really hard to argue this because the Terms of Service for a website is for the website as a whole, which in effect includes your data.
So it calls into question, who exactly owns the data on the social network sites? We all automatically assume that because we put the data there, add the friends, make the connections, install the applications (linking them to their respective site where applicable) that we own that data. After all the data is about us. We input it, why should we not own it? That is where the privacy issues come from. If you don’t own the data on a social networking site, then who does own the data, and what can they legally do with that data? These are some serious issues to concern yourself with. If you do not own that data and the site can do with it whatever it pleases, then you basically have zero privacy when it comes to your data on that particular site.
The solution for the problem at hand is to rework the terms of service to allow a user to copy the data they input. There should also be switches in place to dictate what data can be exported to certain people. Just like you can decide what’s public and so forth on Facebook, you should be allowed to decide what data your “friends” can export out. A lot of people would probably turn this off, but that does not mean that the feature is not functional.
I think first and foremost though, it needs to be determined who owns what data. And it is a decision that all social networks should make (I am looking at you MySpace, LinkedIn, & Twitter). Once the line has been drawn then the users can decide who they want to have their data. I’m pretty sure most people are not going to cancel their accounts based solely on this issue (though several might). But as the internet becomes a haven for your personal data on websites, who owns your data and the privacy implications of that question should be considered more and more.
Tags: Web
Posted in Security, Technology
Google & Your Privacy
Written by Michael Koby on December 29, 2007 – 9:40 pm
So over the Christmas holidays, Google added a feature to Google Reader that caused some privacy concerns. I’m not sure why everyone was in such a fit about it, because the feature was in fact called “Shared Items”, so I don’t understand how that could be misinterpreted.
But now there are rumors that Google is going to implement a Facebook News-like feed for your Gmail contacts. Many people are comparing this to both Facebook and Plaxo (a contact management website that allows you to sync your contacts and ask them to update their contact info). Plaxo is taking a little more heat for its Plaxo pulse, which allows you to add things like your blog, your Flickr account, Twitter, and even your Amazon Wishlist to the pulse and have it send out updates to your contacts. Why Plaxo is taking the hit for this, again I do not understand. For one thing, you have to actually opt in for the service, and two, your friends have to “connect” with you to receive your pulse updates. So both sides have to opt in for it to work.
Now there is no word on if there is going to be an “opt-out” switch on this new Gmail contact news-like feed, but I’m sure there will be. But what has me a little annoyed is everyone freaking out about Google with regards to their data. First off, Google has done very little (if anything) that is considered “evil” with your data. Secondly, if you actually read the terms of service on several Google products you’d be surprised what they might be allowed to someday do. By simply using Google products you are allowing them to look at and possibly use any data they can off of you. Heck, Google does read your email, but only so it can show Adsense ads that go along with what the email you’re reading is about.
Google pretty much controls the internet. If you are like me, and use their products, they probably have a good amount of data on you. Does this mean they are going to spread it out all over the internet? Not really. I think people are making a big deal about nothing with these issues. Especially in comparing Google to Plaxo. Plaxo’s terms of service is really creepy, more so than any of Google’s. If you are really worried about what companies are going to be doing with your data, then you should start reading the terms of service and license agreements more frequently. You might find out that you really just shouldn’t be storing personal data on the internet.
Tags: Google, plaxo, privacy, Security
Posted in Google, Security, Technology